Trojan.Dropper.BCMiner

deathmachine78 · July 11, 2012

I'm not sure how to remove this as it continues reinstall itself upon reboot. I get random redirects.

The two logs as directed:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1

Run by Thebabinator at 10:44:40 on 2012-07-11

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.10559 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\DTSAudioService64.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe

C:\Program Files\Microsoft LifeCam\MSCamS64.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\vVX3000.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files (x86)\ASUS\TurboV\TurboV.exe

C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.ask.com/?l=dis&o=2159&gct=hp

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll

mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [TurboV] "C:\Program Files (x86)\ASUS\TurboV\TurboV.exe" -b

mRun: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe"

mRun: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab

TCP: DhcpNameServer = 192.168.42.1

TCP: Interfaces\{E575539B-AF1D-4ADC-ADF4-0863264C25F7} : DhcpNameServer = 192.168.42.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll

BHO-X64: Yontoo Layers - No File

mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"

mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [TurboV] "C:\Program Files (x86)\ASUS\TurboV\TurboV.exe" -b

mRun-x64: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe"

mRun-x64: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Thebabinator\AppData\Roaming\Mozilla\Firefox\Profiles\piwv4yop.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Thebabinator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Users\Thebabinator\AppData\Roaming\Mozilla\Firefox\Profiles\piwv4yop.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.autoDisableScopes - 14

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2012-2-21 90112]

R2 DTSAudioService;DTSAudioService;C:\Program Files\Realtek\Audio\HDA\DTSAudioService64.exe [2011-11-4 210024]

R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-4-21 1262400]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-2 250056]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]

S3 DroidCam;DroidCam Virtual Audio;C:\Windows\system32\drivers\droidcam.sys --> C:\Windows\system32\drivers\droidcam.sys [?]

S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys --> C:\Windows\system32\DRIVERS\ggflt.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-27 113120]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]

S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]

S3 Spyder4;Datacolor Spyder4;C:\Windows\system32\DRIVERS\dccmtr.sys --> C:\Windows\system32\DRIVERS\dccmtr.sys [?]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-07-08 18:36:44 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-07-08 17:50:41 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F3271E0F-7151-41FE-B35A-37AF6DEF2C68}\mpengine.dll

2012-07-06 22:53:50 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-05 20:25:10 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E9E1C672-FED3-46C3-8EEA-FBBE0C4AFE70}\gapaengine.dll

2012-06-25 19:11:51 -------- d-----w- C:\Windows\.soulsplit

2012-06-23 22:28:51 -------- d-----w- C:\Users\Thebabinator\AppData\Local\Macromedia

2012-06-22 14:12:17 8139072 ----a-w- C:\Windows\System32\nvcuda.dll

2012-06-22 14:12:17 5982528 ----a-w- C:\Windows\SysWow64\nvcuda.dll

2012-06-22 14:12:17 2881856 ----a-w- C:\Windows\System32\nvcuvenc.dll

2012-06-22 14:12:17 2681664 ----a-w- C:\Windows\System32\nvcuvid.dll

2012-06-22 14:12:17 25743168 ----a-w- C:\Windows\System32\nvoglv64.dll

2012-06-22 14:12:17 2524992 ----a-w- C:\Windows\SysWow64\nvcuvid.dll

2012-06-22 14:12:17 2445120 ----a-w- C:\Windows\SysWow64\nvcuvenc.dll

2012-06-22 14:12:17 19607872 ----a-w- C:\Windows\SysWow64\nvoglv32.dll

2012-06-22 14:12:17 14298944 ----a-w- C:\Windows\System32\drivers\nvlddmkm.sys

2012-06-22 14:12:16 25248064 ----a-w- C:\Windows\System32\nvcompiler.dll

2012-06-22 14:12:16 17551680 ----a-w- C:\Windows\SysWow64\nvcompiler.dll

2012-06-22 14:05:30 -------- d-----w- C:\Users\Thebabinator\AppData\Local\{7AD2F1CE-DA85-495B-A4BD-30A64E58AD44}

2012-06-21 13:17:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-21 13:17:29 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-21 13:17:27 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-21 13:17:27 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-18 21:42:24 -------- d-----w- C:\Users\Thebabinator\AppData\Local\{E7573ED6-497E-4785-A615-15C7EE4D2863}

2012-06-18 21:42:14 -------- d-----w- C:\Users\Thebabinator\AppData\Local\{F3DB0B5C-C114-402F-ACE6-755A217F2932}

2012-06-18 21:41:48 -------- d-----w- C:\Users\Thebabinator\AppData\Local\{14BCADF6-5E3B-4018-ACDC-64FAD374D0A5}

2012-06-18 21:41:04 -------- d-----w- C:\Windows\en

2012-06-18 21:39:12 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition

2012-06-18 21:37:06 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\821359151cd4d9a06\DSETUP.dll

2012-06-18 21:37:06 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\821359151cd4d9a06\DXSETUP.exe

2012-06-18 21:37:06 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\821359151cd4d9a06\dsetup32.dll

2012-06-18 21:37:00 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7dd180bf1cd4d9a05\DXSETUP.exe

2012-06-18 21:36:59 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7dd180bf1cd4d9a05\DSETUP.dll

2012-06-18 21:36:59 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7dd180bf1cd4d9a05\dsetup32.dll

2012-06-18 21:36:19 -------- d-----w- C:\Users\Thebabinator\AppData\Local\Windows Live

2012-06-18 21:36:19 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live

2012-06-13 21:38:58 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-06-13 21:38:58 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-06-13 21:38:58 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-06-13 21:37:13 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-06-13 21:36:47 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-06-13 21:36:46 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-06-13 21:36:46 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-06-13 21:36:17 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-06-13 21:35:50 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-06-13 21:35:23 3216384 ----a-w- C:\Windows\System32\msi.dll

2012-06-13 21:35:23 2342400 ----a-w- C:\Windows\SysWow64\msi.dll

2012-06-13 21:34:57 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-06-13 21:34:57 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-06-13 21:34:57 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-06-13 21:34:57 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-06-13 21:34:57 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-06-13 21:34:57 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-06-13 02:31:32 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-13 02:31:32 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll

.

==================== Find3M ====================

.

2012-07-09 20:24:54 282104 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2012-07-09 20:24:54 282104 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2012-07-09 20:24:18 234768 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2012-06-23 22:17:26 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-23 22:17:26 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-06-06 18:14:38 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2012-05-22 21:32:20 260 ----a-w- C:\Windows\SysWow64\cmdVBS.vbs

2012-05-22 21:32:20 256 ----a-w- C:\Windows\SysWow64\MSIevent.bat

2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-05-15 10:48:00 8105280 ----a-w- C:\Windows\SysWow64\nvwgf2um.dll

2012-05-15 10:48:00 68928 ----a-w- C:\Windows\System32\OpenCL.dll

2012-05-15 10:48:00 61248 ----a-w- C:\Windows\SysWow64\OpenCL.dll

2012-05-15 10:48:00 2741568 ----a-w- C:\Windows\System32\nvapi64.dll

2012-05-15 10:48:00 2368832 ----a-w- C:\Windows\SysWow64\nvapi.dll

2012-05-15 10:48:00 18044224 ----a-w- C:\Windows\System32\nvd3dumx.dll

2012-05-15 10:48:00 1738048 ----a-w- C:\Windows\System32\nvdispco64.dll

2012-05-15 10:48:00 15322432 ----a-w- C:\Windows\SysWow64\nvd3dum.dll

2012-05-15 10:48:00 1468224 ----a-w- C:\Windows\System32\nvgenco64.dll

2012-05-15 10:48:00 10194752 ----a-w- C:\Windows\System32\nvwgf2umx.dll

2012-05-15 09:29:47 889664 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-05-15 09:29:46 63296 ----a-w- C:\Windows\System32\nvshext.dll

2012-05-15 09:29:46 118080 ----a-w- C:\Windows\System32\nvmctray.dll

2012-05-15 09:29:25 3149632 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-05-15 09:28:42 6151488 ----a-w- C:\Windows\System32\nvcpl.dll

2012-05-15 06:21:50 423744 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

.

============= FINISH: 10:44:51.91 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume3

Install Date: 5/17/2011 7:26:50 PM

System Uptime: 7/11/2012 10:37:43 AM (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P6X58D-E

Processor: Intel® Core i7 CPU 960 @ 3.20GHz | LGA1366 | 3201/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 97 GiB total, 6.224 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 118 GiB total, 97.669 GiB free.

G: is FIXED (NTFS) - 115 GiB total, 12.328 GiB free.

H: is FIXED (NTFS) - 22 GiB total, 22.37 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: LogMeIn Kernel Information Provider

Device ID: ROOT\LEGACY_LMIINFO\0000

Manufacturer:

Name: LogMeIn Kernel Information Provider

PNP Device ID: ROOT\LEGACY_LMIINFO\0000

Service: LMIInfo

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

µTorrent

Adobe AIR

Adobe Community Help

Adobe Creative Suite 5 Design Premium

Adobe Flash Player 11 Plugin

Adobe Media Player

Adobe Reader X (10.1.3)

Adobe Shockwave Player 11.6

AI Suite

Apple Application Support

Apple Software Update

ASUSUpdate

Battlefield Play4Free

D3DX10

HP USB Disk Storage Format Tool

IHA_MessageCenter

Java Auto Updater

Java 7 Update 4

JavaFX 2.1.0

Malwarebytes Anti-Malware version 1.61.0.1400

marvell 91xx driver

Marvell Miniport Driver

Microsoft Corporation

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

Mozilla Firefox 13.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

NVIDIA 3D Vision Controller Driver

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

PDF Settings CS5

PunkBuster Services

PuTTY version 0.61

QuickTime

Realtek High Definition Audio Driver

SamsungPST_SCHI500 DLL for Verizon

SamsungPSTLite

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Skype Click to Call

Skype™ 5.8

Spring 88.0

Steam

swMSM

TurboV

Unity Web Player

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Verizon Wireless Software Utility Application for Android - Samsung

Vz In Home Agent

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Zero-K

.

==== Event Viewer Messages From Past Week ========

.

7/9/2012 9:50:42 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

7/7/2012 5:28:51 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

7/11/2012 8:24:29 AM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:49 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

7/11/2012 8:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

7/11/2012 8:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

7/11/2012 8:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

7/11/2012 8:22:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/11/2012 8:22:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

7/11/2012 8:22:29 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO AsUpIO CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

7/11/2012 8:22:29 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

7/11/2012 8:22:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

7/11/2012 8:16:14 AM, Error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).

7/11/2012 8:16:08 AM, Error: Service Control Manager [7034] - The ASUS System Control Service service terminated unexpectedly. It has done this 1 time(s).

7/11/2012 8:15:16 AM, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

7/11/2012 10:37:57 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

7/11/2012 10:37:54 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

7/11/2012 10:37:54 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

7/11/2012 10:37:54 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

7/11/2012 10:37:54 AM, Error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

.

==== End Of File ===========================

MrCharlie · July 11, 2012

Welcome to the forum....Please read this:

Your computer is infected with a nasty rootkit. Please read the following information first.
You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.
BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......
There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
I strongly suggest you back up all of the important items on the system before we continue.
Please let me know you have read this and agree to it.
Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

also.......

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

MrC

deathmachine78 · July 11, 2012

Ok, i uninstalled uTorrent as directed.

MrCharlie · July 11, 2012

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)

Post back the report.

MrC

deathmachine78 · July 11, 2012

RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Thebabinator [Admin rights]

Mode: Scan -- Date: 07/11/2012 11:16:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 12 ¤¤¤

[sUSP PATH] {0BECC515-B605-4B70-9119-5D20A43DF913}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> FOUND

[sUSP PATH] {8B0C90E5-F65B-47E7-B9F2-97CC5127BDC4}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> FOUND

[sUSP PATH] {8FC73E1B-6A23-4CBF-A56C-8A486992C279}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cwsdpmi.exe -> FOUND

[sUSP PATH] {9B389360-CD68-44FF-A067-80684D1790D0}.job @ : C:\Users\Thebabinator\Desktop\ta1x-31c.exe -> FOUND

[sUSP PATH] {AD8F443F-4630-4E29-8610-C961BAE0F5DD}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> FOUND

[sUSP PATH] {B2AA6AA9-659C-483A-B4C0-D72733311850}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cwsdpmi.exe -> FOUND

[sUSP PATH] {EE34EAFC-2C19-4B96-B59B-2C636589C00D}.job @ : C:\Users\Thebabinator\Desktop\Patchme.exe -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Thebabinator\AppData\Local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: C300-CTFDDAC128MAG ATA Device +++++

--- User ---

[MBR] a6590a175049b8bf75c48d018d710aab

[bSP] 9de02b76f2f8858aa2d2b85d288b24c0 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99003 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 202965210 | Size: 22999 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD25 00KS-00MJB0 SCSI Disk Device +++++

--- User ---

[MBR] 4d32a08a143d3fb382c7b79d7b6bc991

[bSP] 9d7de849d1dacc680f30899021d092ea : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 121201 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 248242176 | Size: 117261 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

MrCharlie · July 11, 2012

Run RogueKiller again and click scan > when the scan completes

Click on the Registry tab and select these > uncheck the rest

Now click Delete on the right hand side.

¤¤¤ Registry Entries: 12 ¤¤¤
[sUSP PATH] {EE34EAFC-2C19-4B96-B59B-2C636589C00D}.job @ : C:\Users\Thebabinator\Desktop\Patchme.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Thebabinator\AppData\Local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\n.) -> FOUND

Do the same for these: (Click the Files/Folders tab)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

Let me know and post the log from RogueKiller, MrC

deathmachine78 · July 11, 2012

RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Thebabinator [Admin rights]

Mode: Remove -- Date: 07/11/2012 11:33:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤

[sUSP PATH] {0BECC515-B605-4B70-9119-5D20A43DF913}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> NOT SELECTED

[sUSP PATH] {8B0C90E5-F65B-47E7-B9F2-97CC5127BDC4}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> NOT SELECTED

[sUSP PATH] {8FC73E1B-6A23-4CBF-A56C-8A486992C279}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cwsdpmi.exe -> NOT SELECTED

[sUSP PATH] {9B389360-CD68-44FF-A067-80684D1790D0}.job @ : C:\Users\Thebabinator\Desktop\ta1x-31c.exe -> NOT SELECTED

[sUSP PATH] {AD8F443F-4630-4E29-8610-C961BAE0F5DD}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cmospwd.exe -> NOT SELECTED

[sUSP PATH] {B2AA6AA9-659C-483A-B4C0-D72733311850}.job @ : C:\Users\Thebabinator\Desktop\cmospwd-5.0\dos\cwsdpmi.exe -> NOT SELECTED

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> REMOVED AT REBOOT

[ZeroAccess][FOLDER] U : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> RAR ERROR

[ZeroAccess][FOLDER] L : c:\windows\installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> RAR ERROR

[ZeroAccess][FOLDER] @ : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@ --> RAR ERROR

[ZeroAccess][FOLDER] U : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U --> RAR ERROR

[ZeroAccess][FOLDER] L : c:\users\thebabinator\appdata\local\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\L --> RAR ERROR

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> REMOVED AT REBOOT

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> REMOVED AT REBOOT

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: C300-CTFDDAC128MAG ATA Device +++++

--- User ---

[MBR] a6590a175049b8bf75c48d018d710aab

[bSP] 9de02b76f2f8858aa2d2b85d288b24c0 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99003 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 202965210 | Size: 22999 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD25 00KS-00MJB0 SCSI Disk Device +++++

--- User ---

[MBR] 4d32a08a143d3fb382c7b79d7b6bc991

[bSP] 9d7de849d1dacc680f30899021d092ea : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16065 | Size: 121201 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 248242176 | Size: 117261 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

MrCharlie · July 11, 2012

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

deathmachine78 · July 11, 2012

i tried running combofix. it runs but i cant find any logs any where and it took like 1 minute then just closed.

MrCharlie · July 11, 2012

OK, please do this instead..........

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

deathmachine78 · July 11, 2012

Scan result of Farbar Recovery Scan Tool Version: 11-07-2012

Ran by SYSTEM at 11-07-2012 12:19:25

Running from I:\

Windows 7 Professional (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [VX3000] C:\Windows\vVX3000.exe [762736 2010-05-20] (Microsoft Corporation)

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-05] (Adobe Systems Incorporated)

HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873288 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [x]

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [13307496 2011-10-17] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg_DTS] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORDTSUPTBT [2278504 2011-10-14] (Realtek Semiconductor)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-20] (Microsoft Corporation)

HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [TurboV] "C:\Program Files (x86)\ASUS\TurboV\TurboV.exe" -b [5665280 2009-11-19] (ASUSTeK Computer Inc.)

HKLM-x32\...\Run: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe" [611968 2010-01-13] (ASUSTeK Computer Inc.)

HKLM-x32\...\Run: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe" [887936 2009-12-28] ()

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKU\Mcx1-ENDEVER\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.42.1

==================== Services (Whitelisted) ======

2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.)

2 DTSAudioService; "C:\Program Files\Realtek\Audio\HDA\DTSAudioService64.exe" [210024 2011-05-31] (DTS)

2 IHA_MessageCenter; "C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [290832 2011-12-12] (Verizon)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-06-06] ()

========================== Drivers (Whitelisted) =============

1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13440 2009-08-03] ()

1 AsUpIO; C:\Windows\SysWow64\Drivers\AsUpIO.sys [13368 2009-07-05] ()

3 DroidCam; C:\Windows\System32\Drivers\DroidCam.sys [25216 2011-09-23] (Dev47Apps)

3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)

3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2011-09-16] (LogMeIn, Inc.)

2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2011-09-16] (LogMeIn, Inc.)

3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()

3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [19936 2011-09-02] ()

3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [13280 2011-09-02] ()

3 Spyder4; C:\Windows\System32\DRIVERS\dccmtr.sys [15360 2011-06-02] (Datacolor)

3 VX3000; C:\Windows\System32\Drivers\VX3000.sys [2060144 2010-05-20] (Microsoft Corporation)

3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

3 ALSysIO; \??\C:\Users\THEBAB~1\AppData\Local\Temp\ALSysIO64.sys [x]

3 BFE; . [x]

3 BTCFilterService; C:\Windows\System32\DRIVERS\motfilt.sys [x]

2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]

4 LMIRfsClientNP; [x]

3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [x]

3 motccgp; C:\Windows\System32\DRIVERS\motccgp.sys [x]

3 motccgpfl; C:\Windows\System32\DRIVERS\motccgpfl.sys [x]

3 motmodem; C:\Windows\System32\DRIVERS\motmodem.sys [x]

3 MotoSwitchService; C:\Windows\System32\DRIVERS\motswch.sys [x]

3 Motousbnet; C:\Windows\System32\DRIVERS\Motousbnet.sys [x]

3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [x]

0 vmci; C:\Windows\System32\DRIVERS\vmci.sys [x]

3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-11 12:19 - 2012-07-11 12:19 - 00000000 ____D C:\FRST

2012-07-11 07:56 - 2012-07-11 07:56 - 04576462 ____R (Swearware) C:\Users\Thebabinator\Desktop\ComboFix.exe

2012-07-11 07:48 - 2012-07-11 07:56 - 00000000 ___SD C:\32788R22FWJFW

2012-07-11 07:48 - 2012-07-11 07:48 - 00000000 ____D C:\Windows\erdnt

2012-07-11 07:48 - 2012-07-11 07:48 - 00000000 ____D C:\Qoobox

2012-07-11 07:33 - 2012-07-11 07:33 - 00003430 ____A C:\Users\Thebabinator\Desktop\RKreport[4].txt

2012-07-11 07:32 - 2012-07-11 07:32 - 00003412 ____A C:\Users\Thebabinator\Desktop\RKreport[3].txt

2012-07-11 07:30 - 2012-07-11 07:30 - 00004848 ____A C:\Users\Thebabinator\Desktop\RKreport[2].txt

2012-07-11 07:16 - 2012-07-11 07:16 - 00003619 ____A C:\Users\Thebabinator\Desktop\RKreport[1].txt

2012-07-11 07:15 - 2012-07-11 07:30 - 00000000 ____D C:\Users\Thebabinator\Desktop\RK_Quarantine

2012-07-11 07:15 - 2012-07-11 07:15 - 01558016 ____A C:\Users\Thebabinator\Desktop\RogueKiller.exe

2012-07-11 06:46 - 2012-07-11 06:46 - 00011546 ____A C:\Users\Thebabinator\Desktop\Attach.txt

2012-07-11 06:45 - 2012-07-11 06:45 - 00022923 ____A C:\Users\Thebabinator\Desktop\DDS.txt

2012-07-11 06:44 - 2012-07-11 06:44 - 00607260 ____R (Swearware) C:\Users\Thebabinator\Desktop\dds.com

2012-07-08 10:36 - 2012-07-08 10:36 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-06-25 11:11 - 2012-06-25 11:11 - 00000000 ____D C:\Windows\.soulsplit

2012-06-23 14:28 - 2012-06-23 14:28 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\Macromedia

2012-06-22 06:12 - 2012-05-15 02:48 - 25743168 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 25248064 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 19607872 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 17551680 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 14298944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys

2012-06-22 06:12 - 2012-05-15 02:48 - 08139072 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 05982528 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 02881856 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 02681664 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 02524992 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll

2012-06-22 06:12 - 2012-05-15 02:48 - 02445120 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll

2012-06-22 06:05 - 2012-06-22 06:05 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\{7AD2F1CE-DA85-495B-A4BD-30A64E58AD44}

2012-06-21 05:17 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-21 05:17 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-21 05:17 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-21 05:17 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-21 05:17 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-21 05:17 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-21 05:17 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-21 05:17 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-21 05:17 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-18 13:42 - 2012-06-18 13:42 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\{F3DB0B5C-C114-402F-ACE6-755A217F2932}

2012-06-18 13:42 - 2012-06-18 13:42 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\{E7573ED6-497E-4785-A615-15C7EE4D2863}

2012-06-18 13:41 - 2012-06-18 13:41 - 00000000 ____D C:\Windows\en

2012-06-18 13:41 - 2012-06-18 13:41 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\{14BCADF6-5E3B-4018-ACDC-64FAD374D0A5}

2012-06-18 13:39 - 2012-06-18 13:39 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition

2012-06-18 13:37 - 2012-06-18 13:38 - 00000000 ____D C:\Program Files (x86)\Windows Live

2012-06-18 13:36 - 2012-06-22 06:05 - 00000000 ____D C:\Users\Thebabinator\AppData\Local\Windows Live

2012-06-13 20:35 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-13 20:35 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-13 20:35 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-13 20:35 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-13 20:35 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-13 20:35 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-13 20:35 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-13 20:35 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-13 20:35 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-13 20:35 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-13 20:35 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-13 20:35 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-13 20:35 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-13 20:35 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-13 20:35 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-13 20:35 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-13 20:35 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-13 20:35 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-13 20:35 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-13 20:35 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-13 20:35 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-13 20:35 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-13 20:35 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-13 20:35 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-13 20:35 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-13 20:35 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-13 20:35 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-13 20:35 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-13 13:38 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-06-13 13:38 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-06-13 13:38 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-06-13 13:37 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-06-13 13:36 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-13 13:36 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-06-13 13:36 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-06-13 13:36 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-06-13 13:35 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-13 13:35 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-06-13 13:35 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2012-06-13 13:34 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-06-13 13:34 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-06-13 13:34 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-06-13 13:34 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-06-13 13:34 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-06-13 13:34 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

============ 3 Months Modified Files ========================

2012-07-11 08:15 - 2011-05-17 15:27 - 01527437 ____A C:\Windows\WindowsUpdate.log

2012-07-11 07:56 - 2012-07-11 07:56 - 04576462 ____R (Swearware) C:\Users\Thebabinator\Desktop\ComboFix.exe

2012-07-11 07:33 - 2012-07-11 07:33 - 00003430 ____A C:\Users\Thebabinator\Desktop\RKreport[4].txt

2012-07-11 07:32 - 2012-07-11 07:32 - 00003412 ____A C:\Users\Thebabinator\Desktop\RKreport[3].txt

2012-07-11 07:30 - 2012-07-11 07:30 - 00004848 ____A C:\Users\Thebabinator\Desktop\RKreport[2].txt

2012-07-11 07:17 - 2012-04-02 10:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-07-11 07:16 - 2012-07-11 07:16 - 00003619 ____A C:\Users\Thebabinator\Desktop\RKreport[1].txt

2012-07-11 07:15 - 2012-07-11 07:15 - 01558016 ____A C:\Users\Thebabinator\Desktop\RogueKiller.exe

2012-07-11 06:46 - 2012-07-11 06:46 - 00011546 ____A C:\Users\Thebabinator\Desktop\Attach.txt

2012-07-11 06:45 - 2012-07-11 06:45 - 00022923 ____A C:\Users\Thebabinator\Desktop\DDS.txt

2012-07-11 06:44 - 2012-07-11 06:44 - 00607260 ____R (Swearware) C:\Users\Thebabinator\Desktop\dds.com

2012-07-11 06:44 - 2009-07-13 20:45 - 00015376 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-11 06:44 - 2009-07-13 20:45 - 00015376 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-11 06:42 - 2009-07-13 21:13 - 00734096 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-11 06:37 - 2012-04-24 12:53 - 00009346 ____A C:\Windows\setupact.log

2012-07-11 06:37 - 2011-05-17 16:04 - 00429460 ____A C:\Windows\PFRO.log

2012-07-11 06:37 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-10 16:42 - 2012-02-23 05:50 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-09 12:24 - 2012-06-03 19:31 - 00282104 ____A C:\Windows\SysWOW64\PnkBstrB.exe

2012-07-09 12:24 - 2011-09-23 16:56 - 00282104 ____A C:\Windows\SysWOW64\PnkBstrB.xtr

2012-07-09 12:24 - 2011-09-23 16:53 - 00234768 ____A C:\Windows\SysWOW64\PnkBstrB.ex0

2012-07-08 15:17 - 2012-05-29 14:50 - 00000362 _RASH C:\Users\All Users\ntuser.pol

2012-06-23 14:17 - 2012-04-02 10:49 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-06-23 14:17 - 2011-05-25 14:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-06-18 13:37 - 2011-11-21 17:32 - 00139474 ____A C:\Windows\DirectX.log

2012-06-14 06:35 - 2009-07-13 20:45 - 04978200 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-13 20:39 - 2011-05-17 15:47 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-07 15:44 - 2012-06-07 15:44 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dccmtr_01001.Wdf

2012-06-07 15:43 - 2012-06-07 15:43 - 00002123 ____A C:\Users\UpdatusUser\Desktop\Spyder4Pro 4.5.4.lnk

2012-06-07 15:43 - 2012-06-07 15:43 - 00002123 ____A C:\Users\Thebabinator\Desktop\Spyder4Pro 4.5.4.lnk

2012-06-07 15:43 - 2012-06-07 15:43 - 00002123 ____A C:\Users\Mcx1-ENDEVER\Desktop\Spyder4Pro 4.5.4.lnk

2012-06-07 15:42 - 2012-06-07 15:41 - 77526936 ____A C:\Users\mbabin\Downloads\Spyder4Pro_4.5.4__Setup.exe

2012-06-07 15:40 - 2012-06-07 15:40 - 00110568 ____A C:\Users\mbabin\AppData\Local\GDIPFONTCACHEV1.DAT

2012-06-07 15:39 - 2012-06-07 15:39 - 00000020 __ASH C:\Users\mbabin\ntuser.ini

2012-06-06 10:14 - 2012-06-03 19:31 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe

2012-06-04 09:59 - 2012-06-04 09:59 - 02872597 ____A C:\Users\Thebabinator\Desktop\pylib-2.3.4.zip

2012-06-02 14:19 - 2012-06-21 05:17 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-21 05:17 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-21 05:17 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-21 05:17 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-21 05:17 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-21 05:17 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-21 05:17 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-21 05:17 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-21 05:17 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-31 17:11 - 2012-05-31 17:11 - 00118120 ____A C:\Users\Thebabinator\Desktop\Untitled-1.psd

2012-05-31 16:51 - 2012-05-31 16:46 - 00001456 ____A C:\Users\Thebabinator\AppData\Local\Adobe Save for Web 12.0 Prefs

2012-05-29 14:50 - 2012-05-29 14:50 - 00000020 ___SH C:\Users\Mcx1-ENDEVER\ntuser.ini

2012-05-26 15:03 - 2011-05-18 15:53 - 00227784 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-05-26 15:03 - 2011-05-18 15:53 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-05-26 15:03 - 2011-05-18 15:53 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-05-22 13:32 - 2012-05-22 13:32 - 00002727 ____A C:\Users\Public\Desktop\Vz In-Home Agent.lnk

2012-05-22 13:32 - 2012-05-22 13:32 - 00000260 ____A C:\Windows\SysWOW64\cmdVBS.vbs

2012-05-22 13:32 - 2012-05-22 13:32 - 00000256 ____A C:\Windows\SysWOW64\MSIevent.bat

2012-05-22 02:49 - 2009-07-13 21:08 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-05-17 18:47 - 2012-06-13 20:35 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 18:16 - 2012-06-13 20:35 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 18:06 - 2012-06-13 20:35 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 17:59 - 2012-06-13 20:35 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 17:59 - 2012-06-13 20:35 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 17:58 - 2012-06-13 20:35 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 17:58 - 2012-06-13 20:35 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 17:56 - 2012-06-13 20:35 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 17:55 - 2012-06-13 20:35 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 17:55 - 2012-06-13 20:35 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 17:54 - 2012-06-13 20:35 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 17:51 - 2012-06-13 20:35 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 17:51 - 2012-06-13 20:35 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 17:47 - 2012-06-13 20:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-17 15:11 - 2012-06-13 20:35 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-05-17 14:48 - 2012-06-13 20:35 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-05-17 14:45 - 2012-06-13 20:35 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-05-17 14:36 - 2012-06-13 20:35 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-05-17 14:35 - 2012-06-13 20:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-05-17 14:35 - 2012-06-13 20:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-17 14:33 - 2012-06-13 20:35 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-05-17 14:31 - 2012-06-13 20:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-17 14:29 - 2012-06-13 20:35 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-05-17 14:29 - 2012-06-13 20:35 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-05-17 14:27 - 2012-06-13 20:35 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-05-17 14:25 - 2012-06-13 20:35 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-05-17 14:24 - 2012-06-13 20:35 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-05-17 14:20 - 2012-06-13 20:35 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 25743168 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 25248064 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 19607872 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 17551680 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 14298944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys

2012-05-15 02:48 - 2012-06-22 06:12 - 08139072 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 05982528 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 02881856 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 02681664 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 02524992 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll

2012-05-15 02:48 - 2012-06-22 06:12 - 02445120 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll

2012-05-15 02:48 - 2012-04-21 08:19 - 18044224 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll

2012-05-15 02:48 - 2012-04-21 08:19 - 15322432 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll

2012-05-15 02:48 - 2012-04-21 08:19 - 00068928 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll

2012-05-15 02:48 - 2012-04-21 08:19 - 00061248 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll

2012-05-15 02:48 - 2012-04-21 07:32 - 02368832 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll

2012-05-15 02:48 - 2012-02-09 18:43 - 08105280 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll

2012-05-15 02:48 - 2012-02-09 18:43 - 01738048 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco64.dll

2012-05-15 02:48 - 2012-02-09 18:43 - 01468224 ____A (NVIDIA Corporation) C:\Windows\System32\nvgenco64.dll

2012-05-15 02:48 - 2010-07-10 01:38 - 02741568 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi64.dll

2012-05-15 02:48 - 2010-07-10 01:38 - 00014324 ____A C:\Windows\System32\nvinfo.pb

2012-05-15 02:48 - 2009-07-13 13:59 - 10194752 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2umx.dll

2012-05-15 01:29 - 2011-02-22 21:39 - 03149632 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc64.dll

2012-05-15 01:29 - 2011-02-22 21:38 - 00889664 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

2012-05-15 01:29 - 2011-02-22 21:38 - 00118080 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll

2012-05-15 01:29 - 2010-07-09 12:27 - 00063296 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll

2012-05-15 01:28 - 2011-02-22 21:39 - 06151488 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll

2012-05-14 22:21 - 2012-05-14 22:21 - 00423744 ____A C:\Windows\SysWOW64\nvStreaming.exe

2012-05-14 17:32 - 2012-06-13 13:36 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-12 09:16 - 2012-05-12 08:54 - 00000716 ____A C:\Users\Thebabinator\AppData\Local\springsettings.cfg

2012-05-12 08:54 - 2012-05-12 08:54 - 00001853 ____A C:\Users\UpdatusUser\Desktop\Spring lobby-client Zero-K.lnk

2012-05-12 08:54 - 2012-05-12 08:54 - 00001010 ____A C:\Users\UpdatusUser\Desktop\SpringLobby.lnk

2012-05-04 03:06 - 2012-06-13 13:36 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:03 - 2012-06-13 13:36 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:03 - 2012-06-13 13:36 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-04-30 21:40 - 2012-06-13 13:37 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-27 19:55 - 2012-06-13 13:35 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 21:41 - 2012-06-13 13:38 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 21:41 - 2012-06-13 13:38 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 21:34 - 2012-06-13 13:38 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-25 17:02 - 2011-05-17 16:42 - 00747690 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-04-25 17:02 - 2011-05-17 16:42 - 00001945 ____A C:\Windows\epplauncher.mif

2012-04-24 12:53 - 2012-04-24 12:53 - 00000000 ____A C:\Windows\setuperr.log

2012-04-23 21:37 - 2012-06-13 13:34 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-23 21:37 - 2012-06-13 13:34 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-23 21:37 - 2012-06-13 13:34 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-04-23 20:36 - 2012-06-13 13:34 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-04-23 20:36 - 2012-06-13 13:34 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-04-23 20:36 - 2012-06-13 13:34 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-04-21 08:21 - 2012-04-21 08:21 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini

ZeroAccess:

C:\Windows\Installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}

C:\Windows\Installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\@

C:\Windows\Installer\{45baf912-b4a1-68c5-f4fb-cbb596d96c7e}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 8%

Total physical RAM: 12279.11 MB

Available physical RAM: 11277.68 MB

Total Pagefile: 12277.26 MB

Available Pagefile: 11272.09 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:96.68 GB) (Free:6.18 GB) NTFS

2 Drive d: (backup data) (Fixed) (Total:114.51 GB) (Free:12.33 GB) NTFS

3 Drive e: () (Fixed) (Total:118.36 GB) (Free:97.67 GB) NTFS

4 Drive g: () (Fixed) (Total:22.46 GB) (Free:22.37 GB) NTFS

6 Drive i: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT32

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 119 GB 0 B

Disk 1 Online 232 GB 9 MB

Disk 2 Online 962 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 96 GB 101 MB

Partition 3 Primary 22 GB 96 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 96 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 G NTFS Partition 22 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 0 Extended 118 GB 8032 KB

Partition 2 Logical 118 GB 8064 KB

Partition 1 Primary 114 GB 118 GB

==================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E NTFS Partition 118 GB Healthy

==================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 D backup data NTFS Partition 114 GB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 961 MB 30 KB

==================================================================================

Disk: 2

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I FAT32 Removable 961 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-27 20:48

======================= End Of Log ==========================

MrCharlie · July 11, 2012

services.exe is infected and has to be replaced:

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

In Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

MrC

deathmachine78 · July 11, 2012

it didn't create search.txt, just FRST.txt. so here is FRST.txt

Scan result of Farbar Recovery Scan Tool Version: 11-07-2012

Ran by SYSTEM at 11-07-2012 12:42:05